How to build a modern UI App and deploy using Intune

A few weeks ago I came in contact with Douwe van de Ruit, who is working at our partner KPN. Douwe is an expert in ConfigMgr & Intune and has experience with several Intune implementations; his personal blog is located here. He e-mailed me an internal document which describes how to develop a (simple) Modern App and deploy it using Intune Standalone. There are many guides available on how to develop apps and how to deploy existing apps – his guide bridges the gap in between. I proposed to write a joint blog, however he did the vast majority. Credits should go to him.

The purpose of this guide is to demonstrate how to build and deploy a modern UI app to Windows 8.1 using Windows Intune Standalone. This guide is based on a fictitious organization named Contoso.com and is divided into three sections:

1. Building a Windows 8.1 modern UI demo app

Building a solid modern UI app requires programming skills in languages such as JavaScript, C++, C#, HTML and XAML. However, whenever you need to test or demonstrate the deployment of a modern UI app (or LOB, Line Of Business, app), it is useful to have tools that build a simple demo app without programming skills. Fortunately, you have multiple options to achieve this; here are two:

ZipApp: A fast way to build a demo LOB app is by using http://zipapp.co.uk. The website’s app creator lets you quickly add pages or add simple integration widgets using Facebook, Twitter, Youtube or RSS feeds.

Microsoft Project Siena: If you want more functionality in your app you should check Microsoft’s Project “Siena”. Without any programming, you can create apps that connect to corporate data and content, and web services.

A Zip file is downloaded to your PC. Extract and review the files. Search for a file with the extension .jsproj. Double-click the file; in our example the file is named ZipApp.jsproj.

Note the popup after opening Visual Studio Express 2013. Click OK. This is because ZipApp generates apps based on the Windows 8 SDK. Because we use the Windows 8.1 SDK we need to retarget the app to Windows 8.1.

At the right side of the console in the Solution Explorer right click the app and click Retarget to Windows 8.1. Click OK to retarget the app.

Click the play button Local Machine. Verify that the app is running normally using Visual Studio. Close the app by using Alt + F4 key combination.

OPTIONAL: If the app doesn’t start and returns errors you should review them. In a few tests we found that a trailing space in the DisplayName was corrupting the app manifest file. Remove the trailing space and run the app again. The app should now run fine.

After verifying the app, open the manifest by double-clicking the package.manifest file in the Solution Explorer. Using the app manifest, the app can be prepared for code signing with a certificate. In this guide a test certificate is used. In real life you should request a code signing certificate from an enterprise PKI to avoid the need for installing the certificate on your clients by hand.

Visual Studio will open the file using a GUI which will make it easier to configure. Go to the Packaging tab and click Choose Certificate…

Click Configure Certificate… > Create test certificate. Enter a Common Name and choose a password (not required). Click OK. The certificate that will be used to sign the code will show up in the solution explorer.

At this point we have debugged the app and created a test code signing certificate. The next step is to create the package files such as the appx file. Go to STORE > Create App Packages…

Because we don’t want to upload to the Windows Store select No. Click Next.

The build process will create a new folder AppPackages. In this folder you will find a subfolder holding all the files corresponding with the release you just created:

the Appx file

the code signing certificate that is used

a handy PowerShell script which can be used to install the app manually

dependency files such as WinJS, etc.

At this point we have created an appx package that is code signed and that can be deployed using ConfigMgr or Windows Intune.

2. Upload and configure the demo app in Windows Intune

This guide is based on a Windows Intune stand-alone scenario so in the following steps you will need a Windows Intune subscription with the Mobile Device Management Authority set to Windows Intune. You won’t need Single Sign-on or Active Directory synchronization.

Note: For those who have their Windows Intune subscription connected to a ConfigMgr 2012 site you should be able to complete all the steps. You don’t need to set the Mobile Device Management Authority because it is already set to ConfigMgr 2012 permanently.

If you have a stand-alone Windows Intune subscription complete the following step.

To set the Mobile Device Management Authority go to http://manage.microsoft.com and log in with your admin credentials. Then go to Administration and click Set Mobile Device Management Authority. Click Yes. (If the link is greyed out, the authority is already set and you can skip this step.)

Set the user location to your country. For this guide United States is used. Finish the wizard. Write down the username and password for this test user. You will need this information later.

Go to http://manage.microsoft.com and go to Groups. On the right side of the console click Create Group. Enter a name and make sure that All Users is selected at the Select a parent group section and click Next.

On the Criteria Membership tab we don’t need to configure anything so click Next. On the Direct Membership click Browse… at the Include specific members section. Select your test user and click Add. Click OK. Click Finish.

At this point we have a test user who is a member of a group that we are going to use for targeting the software with a deployment. The next step is to upload our modern UI app to Windows Intune.

Note: Although Windows Intune supports most browsers it would be best to use Internet Explorer to upload software to Intune. This is because the console uses a web installer to launch the Windows Intune Software Publisher which is a small application that is used to check and upload the software packages. Using other browsers you won’t get a seamless experience in using the Software Publisher.

In the management console go to Software. On the right side of the console click Step 1: Add Software. The web installer will be launched. Log in using your admin credentials. The app will launch a wizard. Click Next.

On the Software description tab fill in the required description fields. Optionally, upload an app icon. Click Next. On the Summary tab click Upload. When finished uploading close the wizard. The Software Publisher will take care of encrypting the data, adding meta data to the package and uploading all the files to the Intune cloud.

In the management console go to the Software tab and click Managed Software. The app should be listed.

Now that the package is successfully uploaded to Intune we can deploy it. Select the app and click Manage Deployment…. In the wizard select the group Contoso Demo App Users and click Add. Click Next.

On the Deployment Action tab select Available Install as the Approval setting. Click Finish.

There you go, all configurations that are required to deploy the modern UI demo app are done. The next thing to do is to enroll a Windows 8.1 client into Windows Intune by installing the Intune client software.

3. Deploy the demo app to a Windows 8.1 client

To successfully deploy a modern UI app to a Windows 8.1 client some rules have to be followed. There are two:

To install the app: The code signing certificate which is used to sign the app must be trusted on the client.

To execute the app: The app can be executed successfully if:

The client is an Enterprise domain joined version of Windows 8.1 OR

Sideloading keys must be configured for the apps for Windows RT and non-domain joined clients OR

A developer license must be activated on the client (testing only)

You may ask yourself why these rules exist. Well it is because they (partly) implement Microsoft’s approach on securing/trusting apps. For testing, complying with these rules can be achieved by making some configurations on the client.

For this guide we used a Windows 8.1 Enterprise x86 evaluation version which is a member of a workgroup. To be able to install the app the code signing certificate can be installed manually. However, to execute the app we will need sideloading keys because we did not set up an Active Directory and therefore the client will remain a member of a workgroup. And because we don’t want to buy sideloading keys at this stage we will use a developer license as an alternative.

Before making the configurations the client must be enrolled into the Windows Intune service.

On the test client: Go to http://portal.manage.microsoft.com and log in with the test user credentials. After login you will be prompted to update the password. Enter the passwords and click Submit.

Once logged into the company portal webpage click Add Device. On the Enroll your computer page click DOWNLOAD SOFTWARE to download and install the Windows Intune client. You will need administrative permissions.

Important: After the setup has finished, the Windows Intune client may take up to 30 minutes to fully initialize and register itself as a management agent on the client and in the Windows Intune service. Make sure that no pending updates or reboots are preventing the Windows Intune client from installing or initializing.

To check if the client was successfully enrolled check the logfile C:\Program Files\Microsoft\OnlineManagement\Logs\Enrollment.log. Check additional logs as well.

To check if the client is fully initialized you can check the client icon in the taskbar. The sandglass icon should disappear in a few minutes.

Wait for a few minutes.

Now go back to http://portal.manage.microsoft.com and log in with the test user again if the session expired. Go to the main page and scroll down. Notice that the client has been added as a new device, but the Demo App is not listed yet.

Note: In real life this setting is configured using a Group Policy. On test clients configuring it by hand would be sufficient.

Try to install the app by clicking it. Notice that you will need the Company Portal App to really install the app. You cannot install apps from the Company Portal website. Download and install the Company Portal app from the Windows Store.

Install the Company Portal app from the Windows Store. After it’s installed search the app icon and click to start the app.

Note: The company portal app should only be installed when the Windows Intune client is fully initialized.

Login to the Company Portal app using the test user credentials. Notice that the company portal app has the same look and feel as the company portal website. Click the Demo App icon to install the app.

The installation will fail because the Windows 8.1 client is not trusting the code signing certificate yet. To do so, copy the code signing certificate from the app package source folder to the client and import the certificate. Use the Local Machine as Store Location and place it in the Trusted Root Certification Authorities store.

After installing the certificate go back to the company portal app and re-install the Demo App. Now it will install successfully.
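One way to inspect the test certificate and the package signature before and after the import described above. This is an added example, not part of the original guide; the function name Test-AppxSigningCert and its parameters are hypothetical, and the paths in the usage comment are placeholders.

```powershell
# Added example, not from the original guide. Function and parameter names
# are hypothetical. Run from an elevated prompt on the test client.
function Test-AppxSigningCert {
    param(
        [Parameter(Mandatory = $true)] [string] $CertPath,  # .cer from the AppPackages folder
        [Parameter(Mandatory = $true)] [string] $AppxPath   # .appx from the same folder
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # EKU "Code Signing"

    # Load the certificate file that the build placed next to the package.
    $file = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Collect the OIDs from the Enhanced Key Usage extension, if present.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Read the package signature; Status is 'Valid' only once the chain is trusted.
    $sig = Get-AuthenticodeSignature -FilePath $AppxPath
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        Subject                   = $cert.Subject
        Thumbprint                = $cert.Thumbprint
        NotAfter                  = $cert.NotAfter
        # Heuristic: a test certificate has identical subject and issuer.
        SelfSigned                = ($cert.Subject -eq $cert.Issuer)
        EkuOids                   = $ekuOids
        HasCodeSigningEku         = ($ekuOids -contains $codeSigningOid)
        PackageSignedByThisCert   = ($null -ne $signer -and $signer.Thumbprint -eq $cert.Thumbprint)
        SignatureStatus           = $sig.Status
        # The guide imports into Local Machine > Trusted Root Certification Authorities.
        TrustedInLocalMachineRoot = (Test-Path -LiteralPath ("Cert:\LocalMachine\Root\" + $cert.Thumbprint))
    }
}

# Usage (placeholder paths, replace with the files from your AppPackages folder):
#   Test-AppxSigningCert -CertPath .\<package>.cer -AppxPath .\<package>.appx
# When testing is done, remove the test certificate from the root store again:
#   Remove-Item -LiteralPath ("Cert:\LocalMachine\Root\" + '<thumbprint>')
```

Before the import SignatureStatus is something other than Valid and TrustedInLocalMachineRoot is False; after the import both should reflect the trusted certificate.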

Starting the app will fail because we don’t have an enterprise domain joined client or configured sideloading keys. Because we cannot use either of the two, we are going to activate a developer license. Open a PowerShell prompt with administrative (elevated) permissions and run the following command:

Show-WindowsDeveloperLicenseRegistration

Use a Microsoft account to sign in and complete the wizard.

You can now close PowerShell. If you want to check your developer license status later, you can use the following PowerShell command:

Get-WindowsDeveloperLicense

It will return an object stating whether the license is valid, and what the expiration date is. You can also remove/deactivate the developer license using the following PowerShell command:

Great walkthrough. I asked our app developer to use the new Symantec Code signing certificate we purchased to sign the Windows Company Portal for our organisation. They say they get an error using this certificate as the EKUs are wrong. I would have thought it would be the perfect certificate?

We ran into this issue as well. The workaround we adopted was to change the setting for EnableSigningChecks in the MSBuild config (C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v14.0\AppxPackage\Microsoft.AppxPackage.Targets) to false. This suppresses the extra checks on EKUs in the IDE, allowing you to add the certificate to the manifest. If anyone has a better, more sane solution, that would be great! 🙂

We had the same issue and applied the suggested workaround as above. Would prefer that this was fixed properly; looks like an issue with the way Symantec are adding the unknown key usage to the certificates.